HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy, Privacy & Security Litigation

California Legislature Advances UAS Legislation

For the past several years, California’s Legislature has actively sought to regulate unmanned aerial systems (“UAS”), including, but not only, through privacy-related legislation.

In the 2014 session, one bill (AB 2306) passed and was signed by Governor Brown.  It bans the use of UAS to capture images or record voices of people without their permission, and is widely regarded as an anti-paparazzi law, aimed at protecting the many celebrities – and their children – in California’s entertainment industry.  However, the wording of the bill more broadly protects individuals’ privacy from visual or audio recording in a manner that is “offensive to a reasonable person … under circumstances in which the [person] had a reasonable expectation of privacy” if the recording could not have been made without either trespassing or using special equipment (such as a UAS).  The bill is codified at California Civil Code section 1708.8.

In the 2015 session, the California Legislature introduced five more bills, covering a range of issues.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

Analysis of FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security

On Monday, August 24, 2015, the U.S. Court of Appeals for the Third Circuit issued its opinion in FTC v. Wyndham Worldwide Corp., upholding the authority of the Federal Trade Commission (“FTC”) to oversee cybersecurity practices. The Wyndham case first made headlines in June 2012, when it became the first cybersecurity enforcement action to be litigated instead of being resolved by settlement. Wyndham Worldwide Corp. (“Wyndham”) moved to dismiss the FTC’s claims that allegedly insufficient cybersecurity practices constituted unlawful “unfair” and “deceptive” business practices, arguing that the FTC’s unfairness authority did not extend to cybersecurity, and that the statements in its online privacy policy were not deceptive. Since that time, the case has been closely watched as the District Court for the District of New Jersey and the Third Circuit Court of Appeals considered whether the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act.

The Third Circuit affirmed the ruling of the district court, finding that the FTC has authority to regulate cybersecurity under the unfairness prong of § 45(a) of the FTC Act and that neither the plain meaning of “unfairness” nor congressional action in the area of cybersecurity negates such authority. The Third Circuit also found that, to satisfy due process, a company need not have had “fair notice” of the FTC’s interpretation of what specific cybersecurity standards are required to avoid liability under the unfairness prong of § 45(a), but only “fair notice” that cybersecurity practices can form the basis of an unfair practice under § 45(a)—notice the court found to exist here.

Posted in International/EU Privacy

Influential OECD Report Sets Out Future Challenges for the Digital Economy

The Organisation for Economic Co-operation and Development (OECD) has published its 2015 Digital Economy Outlook (“Report”), a survey of changes and opportunities in, and challenges arising from, the digital economy. The Report identifies three broad trends for member countries and their partners to focus on in digitising their economies:

Posted in Cybersecurity & Data Breaches

FTC v. Wyndham: Third Circuit Affirms FTC Authority to Regulate Data Security

The United States Court of Appeals for the Third Circuit’s much anticipated ruling in FTC v. Wyndham has now been released. The court affirmed the FTC’s authority under section 5 of the FTC Act to seek consent decrees or bring enforcement actions against companies that allegedly failed to put in place reasonable cybersecurity practices to protect consumer data. The court also affirmed the district court’s finding that the Federal Trade Commission provided sufficient “fair notice” to Wyndham regarding the cybersecurity practices the agency deems reasonable to avoid liability under the FTC Act. With this decision, the case will now move forward to the merits phase at the district court. A more detailed analysis of this decision will be posted here shortly.

Posted in Cybersecurity & Data Breaches

NIST Requests Input on Revised Cryptographic Standards

On August 12, the National Institute of Standards and Technology (NIST) published a Request for Information (RFI) to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Federal Information Processing Standard (FIPS) 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning—in whole or in part—to a competing standard developed by the International Organization for Standardization and the International Electrotechnical Commission: ISO/IEC 19790:2012.

Posted in Consumer Privacy

FTC Settlement Reinforces Lessons for Data Broker Industry

The FTC has brought a number of actions over the years against companies that shared or failed to protect consumer information in violation of privacy policy promises or transferred data in violation of specific laws, such as the Fair Credit Reporting Act. In what may be viewed as charting new territory, the FTC recently brought a second action against a data broker for selling payday loan application information to entities that were not engaged in making any kind of loans to consumers. Both sets of defendants purchased payday loan application information from online payday loan websites where consumers provided personal information, including financial institution account information, on the applications. The defendants purchased the application information from the websites and sold the information to third parties who did not make payday loans to consumers, but rather made unauthorized charges to consumers’ accounts. The Commission alleged that the selling of such sensitive information was unfair.

Posted in International/EU Privacy

Russia Introduces a Right to be Forgotten

With the aim of keeping pace with European practice, on July 13th 2015 the Russian President signed into law a bill amending the Federal Law “On Information, information technologies and on protection of information” No. 149-FZ of 27 July 2006. This law (the “Law”) introduces in Russia the so-called “right to be forgotten” or “right to oblivion” and will take effect on January 1st 2016.

Under the Law, upon receiving a request from an individual, search engines must cease listing links to Internet pages with information on the individual where such information is:

  • unlawfully disseminated;
  • untrustworthy;
  • outdated; or
  • irrelevant (i.e. it has lost its importance to the individual due to subsequent events or actions of the individual).

Posted in International/EU Privacy

Recap on the ICO Stance on Data Security

The UK’s Information Commissioner’s Office (ICO) is known to prefer an “engaging” rather than an enforcement approach with organisations. However, when looking at the “action we’ve taken” page on the ICO website, the ICO’s enforcement activity seems to be increasing by the day. While the ICO has stated that it wants to focus its enforcement efforts going forward on unsolicited marketing, such as nuisance messages and calls, breaches of security requirements have to date attracted the majority of the ICO’s enforcement attention. Therefore, organisations operating in the UK would be well-served to focus on understanding and adhering to the ICO’s expectations for data security compliance.

Posted in International/EU Privacy

Russia Update: Regulator Publishes Data Localization Clarifications

As we reported last week, on 3 August 2015 the Russian Ministry of Communications, the agency that oversees the Russian data protection authority that will be enforcing Russia’s Data Localization Law, published unofficial clarifications on its website that provide a view into how the Ministry believes organizations must comply with the law. While these clarifications are non-binding, they constitute the only written regulatory guidance that has been published to date about the law, which takes effect on 1 September and requires organizations that collect personal data from individuals located in Russia to store that data within Russian territory. The Ministry’s website also provides a mechanism to ask further questions online.

In this blog post, we summarize the main issues raised in the published clarifications, and the possible impact on global businesses seeking to comply with the law.

Posted in International/EU Privacy

French Surveillance Law Permits Data Mining, Drawing Criticism from Privacy Advocates

Adopted by Parliament in June 2015, France’s new surveillance law was ratified by the President on July 24, 2015 and published in France’s Official Journal on July 26, 2015. France’s Constitutional Court (“Court”) reviewed the law prior to its ratification and issued an opinion on July 23, 2015 requiring deletion of certain measures that the Court felt were incompatible with constitutional principles. However, a number of observers were surprised that the Court validated a provision of the law allowing intelligence agencies to deploy algorithms to analyze traffic and log data to detect potential terrorist threats. To some lawyers, analyzing the traffic and log data of the entire population of France violates the proportionality principle set forth in the European Court of Justice’s Digital Rights Ireland decision.